ATT&CK Deep Dive: Privilege Escalation

Learn how adversaries level up to access sensitive systems and information. Experts from Red Canary, Carbon Black, and MITRE ATT&CK weigh in on how privilege escalation looks on various operating systems and what you should collect to detect it. Why you’ll want to watch the webcast: Get a better understanding of privilege escalation and how it’s being used across operating systems Find out if you have the right tools in place to provide detection coverage Learn useful analytics for observing privilege escalation in your environment Discover additional ways to test and implement actionable detection strategies 00:35 Presenter Introduction 01:11 What is Privilege Escalation? 01:17 “When an adversary tries to gain higher level permissions than they start with. Compared to a normal user, a system or root level user can be used to leverage additional adversary goals like credential dumping or lateral movement” -Sarah 01:37 Webinar Agenda 02:21 Privilege Escalation: Windows 03:12 “In the case of Access Token Manipulation, the adversary’s main goal is to trick the system into believing that the running process belongs to someone other than themselves. It is like stealing someone’s work badge to get into a building you can’t.” -Sarah 03:43 “Bypass User Access Control or UAC is a Windows feature that prevents harmful programs from making changes to a user’s computer by prompting the user for confirmation.” -Sarah 04:40 Collecting Data: Windows 04:56 “What you specifically collect in these instances is really going to depend on what tooling and systems you have in your environment.” -Sarah 05:14 Detecting Behaviors: Windows 05:38 “If a process starts, and a child process with a higher integrity level than the parent is found, then that is probably an indication of privilege escalation.” -Sarah 06:57 Real-World Examples 08:08 “Neither FODHELPER or EVENTVWR normally spawn children, they are usually running under an administrator account. Those are really good indicators for threat hunting and detection in your environment for UAC bypass.” -Cathy 09:07 Privilege Escalation: macOS 09:45 “With macOS, most of the techniques require user interaction. Most of the things you will see in the wild actually require the user to enter a password. The problem is that most of the prompts for escalation pretty much look the same. Attackers are able to make these look however they want.” -Erika 12:32 “The user gets so used to putting their password in for everything that they start not caring or not looking into what it is asking: ‘Do I really want to authorize this application?’ It is very easy to masquerade as a different application.” -Erika 18:13 “On macOS and Linux, you have a larger set of tools—command line tools—that are very powerful.” -Erika 21:34 Collecting Data: macOS 21:45 “Your typical malicious program is going to have to establish some sort of persistence so that when you reboot, it’s going to start up automatically. There are a lot of ways to do that.” -Erika 22:00 “There is a system utility called Log that will collect and filter all of these events. It is very powerful, but also very robust so you need to know what you are looking for.” -Erika 24:20 Detecting Behaviors: macOS 25:23 “You have to look at the events that lead up to the authentication event and the events that happen after.” -Erika 27:52 “One of the most important things for macOS, but also Windows and Linux, is you never should have to re-install Flash Player. If you do, you should go to the Adobe website and download it to verify that it is actually signed by Adobe and is the legitimate copy of it.” -Erika 31:20 “The adversaries almost always have writable access which is the key for temporary directories…being able to write what the adversary wants to then execute.” -Sarah 32:15 Real-World Examples 34:20 “Shlayer would download something then actually decrypt, decode, and then do some other manipulation to a final script. It is a series of scripts that finally downloads the last payload, which is the malicious final payload.” -Erika 36:10 “The Lazarus Group, which is a malicious actor group, has a new implant that is able to do in-memory download and execution of additional software. So it is not even doing something on a command line. That is typically not going to be logged.” -Erika 37:13 “You are more likely to detect the activity that happens after the privilege escalation occurred.” -Cathy 38:02 Privilege Escalation: Linux 42:43 Collecting Data: Linux 43:02 How You Detect It 44:52 Real-World Examples 47:20 Why Privilege Escalation Matters 55:18 Questions & Answers